In a payment industry first, a sporting-goods retailer has filed a multimillion-dollar lawsuit against Visa, arguing that the penalties the credit card company charges its members for data security breaches are unfair.
As reported by Wired, retailer Genesco alleges that Visa seized some $13m in funds from its merchant bank …

I would say FFS, Visa are a financial institution so what do Genesco expect them to do, except rip them off for any excuse.

BUT... any fines imposed should be in direct relation to potential loss.

13M sounds like one hell of a fine for a security breach with no proven victims. A couple of K per day may be reasonable for a large customer base with full reparation for all proven cases of identity theft plus actual costs for contacting customers who may or may not have been subject to fraud.

Thirteen million seems quite reasonable considering the number of transactions that the company must be processing through its shops and online business. It is absolutely essential to punish companies for data breaches; it's the only way to force them to take data security seriously.

Re: @David Ward

I haven't looked at the notes or case but it sounds like they had a breach or suspected breach of some kind and contained it so there was no data loss. Sounds like a win to me and a good example to show best practice in the event of a breach. Fine of 13M looks disproportionate. Sure, a fine proportionate to VISA actually conducting an investigation to make sure there was no data leakage, but apart from that the rest looks more like racketeering.

But what about the real victims?

And how many of those whose personal information was exposed have been informed? Had an opportunity to verify their accounts (rather than have to do it every month, if they remember, and then write a letter, follow it up, shake them down, follow it up again, etc., all in the hope that $1100 payment will might may one day be returned)?

If that had been done, the Court would have as evidence what and who was impacted, rather than be debating the amounts.

Re: Packet Sniffing software on the network

For larger orgs the POS may not communicate directly with the bank, instead they send the CC (encrypted) to a central hub device, which in turn passes it on the vendor/bank for authorisation.

According to PCI DSS encryption is only required on 'public and open networks' - hence it does not have to be encrypted once it hits the 'safe' hub network before being sent to the bank (it will be encrypted when it leaves the network to the bank though).

The sniffer was most likely on this hub network, sniffing clear text CC data on a PCI compliant network - not between the POS and the server.

Without details I can only guess.

Simply ticking all the PCI DSS compliant boxes will not protect you from being found liable and fined - albeit a stupid amount in this case.

Part of their defence (from the linked Wired article) appears to be that because of regular server reboots the card numbers in their server log files would have been overwritten before the hackers got to it (though what a packet sniffer is doing reading log files is not stated). Persisting unencrypted card data to log files is very much a PCI DSS violation and shows a level of incompetence I can't begin to understand.

All that being said, if VISA can't prove that any fraud was carried out using the cards that may have been compromised during the breach then they really shouldn't be gathering fines. I know that absence of evidence of fraud isn't evidence of absence, but legally it almost certainly is so the fines levied sound to be in serious danger of being overturned, assuming that the rules outlined in the Wired article are those that should apply in this scenario (more than 10,000 cards breached, PCI violation leading to the breach, more fraud than normal occurred on the cards in question).

Non-compliance with PCI-DSS

As you say, writing complete card numbers to log files is a big no-no. Even if there hasn't been any breach, I'd be fine with Visa fining them.

I don't know Visa's conditions but it sounds reasonable to fine based on non-compliance regardless of breaches... too many costly investigations and useless finger-pointing otherwise. If their security isn't in order, they could have been breached (even if they weren't), putting credit card customers at risk.

> Part of their defence (from the linked Wired article) appears to be that because of regular server reboots the card numbers in their server log files would have been overwritten before the hackers got to it

Looks like what we might have here is a case of Chinese whispers: you say "card numbers", the Wired article says "card data", but the actual statement from Genesco's complaint (as quoted in the Wired article) says "data relative to those accounts" - which could mean anything from DNA samples to simple HTTP user-agent strings.

DNA or HTTP headers are not "data relative to those accounts". HTTP headers may be classified as data relative to the processing of the transaction, but the "accounts" in question are the VISA card details.

I think you'll find that "data relative to those accounts" is legal speak for card number, CVC, expiry date, etc. - the data required to actually perform a transaction against the card in question. Section 18 of their complaint effectively lays out what this data is (the mag stripe data). They claim that such data may be retained unencrypted for the duration of the authorisation; this may be true, but my understanding (having had to do this kind of thing) is that you may briefly store such data in memory (pretty much unavoidable given that computers are involved), but it is preferable that this be done encrypted until such time as the unencrypted data is required, i.e. you decrypt just as you're generating the request and sending it to the bank. Logging any of it, unencrypted, is a no-no.

Section 54 of the complaint states that the log files would have been overwritten before they could have been exfiltrated, so no "data relative to those accounts" could have been compromised via the logs. This kind of suggests that some account data was being logged - why would you bother mentioning that you were storing data unrelated to the complaint in a log file in a motion to have your money returned? The only useful data in this context is card numbers, expiry dates, etc. I may be reading between the lines, but it seems a reasonable assumption to me.
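The two comments above turn on card numbers ending up in server log files. As an added example (not from this thread or from Genesco), here is a small Python checker of the kind a merchant could run over its own logs to find and mask PANs before anyone else does; the log lines are constructed, using the well-known Visa/Mastercard test numbers, and the masking rule (keep only the last four digits) is an assumption.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which every real PAN passes and most order ids fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrub_line(line: str):
    """Return (scrubbed_line, number_of_PANs_found) for one log line."""
    hits = 0

    def repl(m):
        nonlocal hits
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # looks like a PAN but isn't (e.g. an order id)
        hits += 1
        return "*" * (len(digits) - 4) + digits[-4:]   # assumed mask: last 4 only

    return PAN_RE.sub(repl, line), hits


def scrub_log(lines):
    """Scrub a whole log; the hit count is what an auditor would want to see."""
    out, total = [], 0
    for line in lines:
        scrubbed, n = scrub_line(line)
        out.append(scrubbed)
        total += n
    return out, total


# Constructed sample log lines (test PANs, not real cards).
SAMPLE_LOG = [
    "2013-03-11 09:14:02 auth ok pan=4111111111111111 exp=0315 amount=49.95",
    "2013-03-11 09:14:05 auth ok pan=5555 5555 5555 4444 exp=1214 amount=120.00",
    "2013-03-11 09:14:09 order=1234567890123456 status=shipped",
]

if __name__ == "__main__":
    lines, found = scrub_log(SAMPLE_LOG)
    print("\n".join(lines))
    print(f"{found} PAN(s) found and masked")
```

A non-zero hit count on a production log is itself the finding: the fix is to stop writing the field, not merely to mask it after the fact.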

Forgot to mention that this approach would also give business decision makers a tangible dollar value to security controls, rather than vague threats of fines. Which would get them taking security seriously for once.

Sorry Guppy...

???

Why can Visa even fine companies? They are only a financial company, not a government body.

I have a customer who is in the process of having a PCI DSS done from sysnet, yet the criteria against which the software compliance check was done were actually quite a few years old, and I drew their attention to this - and was ignored.

If I recall, the compliance failed on something like SP1 on Exchange 2003 not being installed, yet they were running SP2 and all the patches that MS had put out were installed too.

I'm clearing down my debts with Visa; some of my unused cards are now 29.9%, so it seems that they are just getting far too greedy. Time to stop using Visa completely. Robbing gets.

Re: ???

If you understood so much about PCI DSS, you'd surely not make comments like "Im clearing down my debts with Visa". Your debts, as you surely know, are not with Visa, but with the card issuer, likewise the interest rates are not set by Visa but the card issuer.

Yeah, Visa Are Robbing Gets

But what's a merchant to do? Stop accepting Visa? Good luck with that.

Anyway, back to the story - from what I've read, Genesco had a previous run-in with Visa for what they call "noncompliance". They obviously didn't take that seriously enough.

I can't believe they didn't encrypt card data going through their POS network. If I was their legal team, I'd be looking at the company that supplied the POS software - was it sold as being PCI DSS compliant?

Re: Yeah, Visa Are Robbing Gets

More to the point, I'd also be looking for the company that did the PCI DSS compliance checking and were it the case that they didn't get an external PCI DSS compliance check, I'd be reaching for a pad of P45s and summoning the people who made the decision not to do one.

It's a big fine, but I don't really have much sympathy - anyone who knows anything about PCI DSS knows that you don't allow card data to be sent in the plain outside of a highly secured network - assuming that a POS is or even can be in a secure network is asking for it.

The irony here is that it's VISA handing out fines..

OK, I admit it, I have a dog in this fight, but it's because I have been looking at the problems with card transactions for quite some time (> 10 years).

The security model of card transactions has been flawed from the moment "card not present" payments were accepted (read: since you could buy things by phone), and especially VISA and Mastercard have brilliantly avoided their responsibilities by making every participant in the scam accept responsibility instead of themselves. EMV, CCV, 3D Secure - they're gaffer tape over cracks, camouflage for what is in reality a fully broken model. Credit to them that they got away with it for so long, but this case yields some hope that the scam will end at some point.

The only organisations that can address the deficiencies are the transaction carriers such as VISA and Mastercard themselves, but as they are the only link in the chain that does NOT suffer after a breach there is no incentive. As a matter of fact, the opposite is true - to truly address the issue would require replacing all the hardware and infrastructure, and that is surely not going to happen without pressure, pressure they have neatly rolled off to others. They have covered up deficiencies by throwing PCI compliance processes at others; the reality is that the real problems reside in the centre.

This merchant gets basically fined for not protecting VISA and Mastercard. Not for a compliance failure. Personally I hope the merchant wins, because it's time something happens.

It's ridiculous that people in the 21st century still have to rely on security that was already inadequate in the 20th.

Re: The irony here is that it's VISA handing out fines..

The solution is to make Visa et al responsible for all chargebacks on transactions they approve. The security would improve immediately.

OK, give them some time by phasing it in so the first year Visa is responsible for 20% of the chargeback, the next year 40%, etc.

As it is, card not present transactions make more money for Visa when they're fraudulent than when they're legitimate. In the case of fraud, the merchant is out the merchandise, all the original transaction fees, plus a hefty ($50 on a $4.95 transaction in one egregious case) fee for Visa to "investigate." And in this particular example we could show that not only was the address verified, but the CVV2 was correct, the email the software was sent to matched the cardholder's, and there were phone records of us talking to the customer, who later claimed that he had no knowledge of the transaction.

And in the States it's the Secret Service who is in charge of investigating credit card fraud. We filed a complaint in this case (just to show we're bastards too) but I suspect the Secret Service thinks they have higher priorities.

Legacy

The problem with PCI is that many legacy systems which pre-date it cannot be made compliant without considerable expense if at all. Imagine the situation of spending over a million for compliance which would take 9 to 12 months or waiting for the refurbishment capital programme to replace the legacy equipment on a rolling basis over the next 24 months; or even having a system that can't be compliant.

This leads to use of compensating controls and piecemeal fixes just to satisfy the (at times frankly bizarre) compliance rules; it sounds like the retailer had some sort of kludge in place to do just this.

Once heard senior VISA/Mastercard security guys claim that no PCI compliant system had ever been breached, using the logic that if it had been breached it couldn't have been compliant in the first place.

Re: Legacy

And for smaller retailers, they may actually lack the capital to perform the compliance upgrade. Taking away from the marketing budget could hurt them in the face of competition from big-boxers like Dick's and Sports Authority. So they're caught in a Devil's Dilemma: they're contractually obligated to do it but can't afford it.

Re: Legacy

The problem with PCI is that many legacy systems which pre-date it cannot be made compliant without considerable expense if at all.

That compliance also only addresses a fragment of the problems in the chain. There's also user committed fraud, card theft and cloning, MITM and infected user computers, terminals and even payment machines with a backdoor - the whole system sucks in multiple ways.